Joseph Marks | Nextgov | April 20, 2017 | 0 Comments

Want to Rank Devices’ Cybersecurity? Here’s How to Do it.

Macrovector/Shutterstock.com

Want to tell consumers how cybersecure their internet-connected cars, cameras and toasters are? That might be harder than it looks, a cybersecurity think tank said Thursday.

Creating such a rating system is an “excellent idea,” the Institute for Critical Infrastructure Technology said in Thursday’s analysis. It will be far more difficult to implement, however, than rating cars for fuel efficiency or buildings for energy conservation, ICIT Senior Fellow James Scott said.

Why? First, there are the companies that offer digital products, which will want to water down ratings criteria. Then, there are consumers unwilling to wade through the fine printing of ratings too complex. Finally, there’s the threat landscape itself, which is constantly evolving, Scott said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The analysis was prompted by Cyber Shield, a legislative proposal floated by Sen. Edward Markey, D-Mass., during a March Commerce Committee hearing. Markey described the program as a voluntary one-star to five-star rating that would vet connected devices on a number of cybersecurity metrics including how easily they can be updated to defend against new threats.

Markey’s proposal got a mixed reception from industry panelists at the hearing who worried the ratings would quickly fall out of date or that consumers would become overconfident in a device’s security because of a high rating and not take basic precautions.

Venky Ganesan, who chairs the National Venture Capital Association, expressed concern government-backed ratings would inhibit innovation and that government should leave the job to market incentives.

Markey shot back that “markets had years to do something,” but devices are no more secure.

There are three main criteria to ensure a Cyber Shield program works, ICIT’s Scott said.

First, officials must ensure industry leaders are involved in developing the ratings but not leading the team. If industry leaders play too large a role, they could water down the rankings to the point they serve little value or large companies could “weaponized” the rankings so only the biggest companies can afford to earn five stars, Scott said.

Second, the program should include a substantial public education component aimed at making consumers care enough about cybersecurity that the rankings actually change their buying decisions.

“This is a daunting effort; however, it is a cultural shift that needed to happen years ago but lacked the right fulcrum,” Scott said. “An education provision of Cyber Shield will also provide a significant secondary victory, even if industry does not widely adopt the certification or if implementation proves difficult.”

Finally, the rankings themselves should go beyond a mere one-star to five-star ranking to incorporate more dynamic data, Scott said, perhaps through a QR code that calculates real-time scores based on the threat landscape.

“An artificial intelligence system could even be trained to weigh the data and calculate accurate scores,” Scott said. “Instead of a star system (i.e. 4/5, etc.), Cyber Shield might be more meaningful and effective with a confidence score (i.e. there is a 92 percent chance that this device collects, processes and transmits data securely).”

Even if ratings are static, those ratings should be calculated when devices are close to market, after as much of their supply chains are completed as possible, Scott said, especially overseas portions.

Rankings should also be done by trusted third parties, not by companies themselves, he said.

Comments
JOIN THE DISCUSSION

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.